concerns that businesses should have about the cloud.
In addition to insurance and specific risk management
approaches, Nigam emphasized the importance of choosing
what he has dubbed “CIA vendors” — meaning those cloud
technology providers that offer “confidentiality, integrity, and
availability.” Nigam also warned against focusing narrowly on
cloud or any other risks, saying that a holistic point of view is
required to protect organizations from diverse potential
threats to information safety, security, and privacy.

Security and Privacy Risks Rival TraditionalP&C Exposures

Adding further detail to the picture Nigam painted, the three
Zurich experts made it clear that information security, privacy
threats, and cyber-related exposures should be perceived and
addressed with the same level of concern as traditional
property and casualty exposures. Gregg Fergot, vice president
and head of technology underwriting at Zurich North America,
kicked off an in-depth discussion on the risk management
strategies and insurance coverage needed to protect
companies’ information, intellectual assets, and reputation.

Most companies of any significant size have already “done
the basics” — putting in firewalls, encrypting data, and
maintaining up-to-date information security protocols — to
protect their information-related assets, noted Larry Collins,
vice president for HSE risk engineering and e-solutions at
Zurich Services Corp. The question is how to go beyond this
and actually anticipate risks that potentially face the business
from all quarters.

As an illustrative example, Collins cited the “Night Dragon”attacks on oil and gas companies in 2009, noting that thesewere carefully targeted rather than random maliciousefforts. “The attackers were trying to figure out howto underbid competitors to ensure they wouldwin contracts when the went intocompetition with these energycompanies,” he explained.

To systematically mitigate a diversity of risks, Collins
recommended “a scenario-based process to understand
your exposures and to identify vulnerabilities.” In this
process, hazards are identified and assessed, their risk
profiles ranked, and risk improvement actions put in place
to address these with the appropriate prioritization. Expect
this process to involve robust discussion and diverging
viewpoints, he warned; the effort just to “create a simple
chart to categorize acceptable and unacceptable risks”
can result in “a heated conversation with your team.”

Financial Impact, Risk Transfer, and CoverageConsiderations

Data breaches and other cyber losses have many costs that
are at least partially transferrable, noted Tim Stapleton,
CIPP/US, who is assistant vice president and professional
liability product manager at Zurich North America. Looking
at a data breach example, an insured’s transferrable costs can
include direct expenses associated with crisis and reputation
management, forensics investigation costs, the costs
associated with notification to customers or others impacted
by the breach, and business interruption costs. Third-party
liabilities involved with some data breaches can include
regulatory fines and penalties as well as legal liability,
Stapleton added.

When it comes to data breaches and other losses associated
with the cloud, companies need to be careful to protect
themselves and not rely solely on vendors, said Stapleton.

“The reality is that most cloud providers cannot afford to
indemnify everybody for losses,” he said.

To ensure adequate insurance cover for a diversity of potential
cyber and information-security losses, Stapleton pointed
webinar attendees to three key areas: errors and omissions
policies (which cloud providers often purchase for basic
coverage), security and privacy liability coverage, and vendor
services such as immediate support in the case of a breach.

“In many cases, adequate coverage can reduce the blow to
the balance sheet and cover a good portion of transferrable
costs,” Stapleton said, adding that “no two E&O or security
and privacy policies are alike — so be sure to compare each
one to check for crucial elements” that apply to your
particular business exposures.

View the web seminar at

http://www.propertycasualty360.com/TheCloud

John W. De Witt, an event moderator and contributing editor for National
Underwriter Property & Casualty, PropertyCasualty360, and other insurance
industry publications, is principal and senior consultant for JW De Witt
Business Communications in New Salem, Mass.